Take a look at the following example created by Cisco ConfigMaker..... if it works here then it looks like it is possible..... you can only use DES and not 3DES encryption, though.
!
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname RouterA
!
enable password 123
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Internet Key Exchange (IKE)
!
crypto isakmp enable
crypto isakmp identity address
!
crypto isakmp policy 1
encryption des
hash md5
authentication pre-share
group 1
lifetime 86400
crypto isakmp key mysharedkey address 196.100.40.20
!
! IPSec
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
crypto map cm-cryptomap local-address Serial 0
!
crypto map cm-cryptomap 1 ipsec-isakmp
match address 100
set peer 196.100.40.20
set transform-set cm-transformset-1
set security-association lifetime seconds 3600
set security-association lifetime kilobytes 4608000
!
interface Ethernet 0
no shutdown
description connected to LANA
ip address 172.23.16.1 255.255.255.0
ip nat inside
keepalive 10
!
interface Ethernet 1
no description
no ip address
shutdown
!
interface Serial 0
no shutdown
description connected to Internet
crypto map cm-cryptomap
service-module t1 clock source line
service-module t1 data-coding normal
service-module t1 remote-loopback full
service-module t1 framing esf
service-module t1 linecode b8zs
service-module t1 lbo none
service-module t1 remote-alarm-enable
ip address 60.40.50.21 255.255.255.248
ip nat outside
no ip route-cache
encapsulation ppp
!
!
access-list 100 permit ip 172.23.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 172.23.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 172.23.16.0 0.0.0.255 any
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
! list 102 (defined above) denies LANA-to-LANB traffic so it reaches the crypto map untranslated; list 1 is not defined in this config
ip nat inside source list 102 interface Serial 0 overload
!
router rip
version 2
network 172.23.0.0
passive-interface Serial 0
no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Serial 0
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password 123
login
!
line vty 0 4
password 123
login
!
end
!
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname RouterB
!
enable password 456
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Internet Key Exchange (IKE)
!
crypto isakmp enable
crypto isakmp identity address
!
crypto isakmp policy 1
encryption des
hash md5
authentication pre-share
group 1
lifetime 86400
crypto isakmp key mysharedkey address 60.40.50.21
!
! IPSec
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
crypto map cm-cryptomap local-address Serial 0
!
crypto map cm-cryptomap 1 ipsec-isakmp
match address 100
set peer 60.40.50.21
set transform-set cm-transformset-1
set security-association lifetime seconds 3600
set security-association lifetime kilobytes 4608000
!
interface Ethernet 0
no shutdown
description connected to LANB
ip address 192.168.1.1 255.255.255.0
ip nat inside
keepalive 10
!
interface Ethernet 1
no description
no ip address
shutdown
!
interface Serial 0
no shutdown
description connected to Internet
crypto map cm-cryptomap
service-module t1 clock source line
service-module t1 data-coding normal
service-module t1 remote-loopback full
service-module t1 framing esf
service-module t1 linecode b8zs
service-module t1 lbo none
service-module t1 remote-alarm-enable
ip address 196.100.40.20 255.255.255.248
ip nat outside
no ip route-cache
encapsulation ppp
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.23.16.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.23.16.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 102 interface Serial 0 overload
!
router rip
version 2
network 192.168.1.0
passive-interface Serial 0
no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Serial 0
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password 456
login
!
line vty 0 4
password 456
login
!
end
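A small Python check, added here and not part of the post or of ConfigMaker, that reads one router config and verifies what the pair above relies on: the NAT source list must exist and must deny the crypto ACL's traffic before any permit, and it flags the DES/MD5/group 1 choices the thread says are all that is available. The embedded excerpt is a constructed cut-down of RouterA with the NAT statement deliberately pointing at an undefined list 1 so the audit has something to report.

```python
import re

# Constructed cut-down of RouterA's ConfigMaker output, keeping only the lines these
# checks read; the NAT statement deliberately names undefined list 1 (RouterB's
# equivalent names list 102) so the audit has something to report.
ROUTER_A = """\
crypto isakmp policy 1
 encryption des
 hash md5
 group 1
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
crypto map cm-cryptomap 1 ipsec-isakmp
 match address 100
access-list 100 permit ip 172.23.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 172.23.16.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 172.23.16.0 0.0.0.255 any
ip nat inside source list 1 interface Serial 0 overload
"""

# Algorithms the thread says are all that is available here; none is adequate today.
WEAK = re.compile(r"\b(encryption des|hash md5|group 1|esp-des|ah-md5-hmac|esp-md5-hmac)\b")
ACL = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+|any) (\S+ \S+|any)", re.M | re.I)


def acl_entries(cfg, number):
    """Entries of one numbered extended ACL as (action, source, destination), in config order."""
    return [(a, s, d) for n, a, s, d in ACL.findall(cfg) if n == number]


def audit(cfg):
    """Findings on NAT/IPsec interaction and algorithm choice for a single router config."""
    findings = []
    crypto = re.search(r"^\s*match address (\d+)", cfg, re.M)
    nat = re.search(r"^\s*ip nat inside source list (\d+)", cfg, re.M)
    if not (crypto and nat):
        return ["no crypto map 'match address' or 'ip nat inside source list' statement found"]
    nat_entries = acl_entries(cfg, nat.group(1))
    if not nat_entries:
        findings.append(f"NAT source list {nat.group(1)} is not defined: no inside host is translated")
    for action, src, dst in acl_entries(cfg, crypto.group(1)):
        if action.lower() != "permit":
            continue
        # The first NAT entry covering this flow must be a deny; otherwise PAT rewrites the
        # source address and the packet no longer matches the crypto ACL.
        first = next((a for a, s, d in nat_entries if s == src and d in (dst, "any")), None)
        if first is None or first.lower() != "deny":
            findings.append(f"{src} -> {dst} (crypto ACL {crypto.group(1)}) is not exempted "
                            f"from NAT in list {nat.group(1)}")
    for algo in sorted(set(WEAK.findall(cfg))):
        findings.append(f"weak algorithm in use: {algo}")
    return findings
```

Running `audit(ROUTER_A)` reports the undefined list, the missing NAT exemption and six weak-algorithm findings; pointing the NAT statement at list 102 clears the first two.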
I think you can do it with a 1600, but you need the IP PLUS IPSEC 56 feature set. The 1700 series supports 3DES encryption and also has a built-in Fast Ethernet port. The 1600's Ethernet is 10Base-T half duplex only.
The feature set has to be loaded on the router for it to work....... The IOS image on the router may not support it, so it is not listed. I have a 1750 myself and know for a fact that it is supported with the right IOS. You just need a different IOS for the router.
You need a CCO login, and the way you get that is to purchase a SMARTnet agreement for a Cisco router that qualifies. If it has a VPN accelerator module in it, then it most likely has a VPN IOS.....
If a router has a VPN module, then the encryption/decryption process is done in hardware by the VPN module. If no module is present, then the encryption/decryption process is done in software, using the router's CPU to accomplish this task.
IOS images supporting IPSec 3DES normally have "k9" as part of the IOS image name, e.g. c1700-k9sy-mz.122-28.bin
As you can see, the part -k9sy- indicates it supports IPSec 3DES because it has the "k9" keyword as part of the IOS image name. As joamon explained, the IOS running on the router can be found using the show version command.
1) The network behind our current firewall is a private subnet SNAT'd to a public Internet address. If I am putting this behind that firewall, then I really only need one FastEthernet port; I don't need any WIC cards or a secondary FastEthernet port... there will be very little traffic. The VPN will be connected to a small network behind a Checkpoint VPN/Firewall box across the Internet. Is this correct?
2) Is a 1700 series the way to go for this VPN solution, or is it better to go with a PIX or some other brand?